Filtering evidence
You might have thousands, or even millions, of hits in your case. Browsing through these results might seem like a time-consuming task, but you can make it much more manageable by applying filters.
In AXIOM Examine, the filter bar allows you to create specific conditions for the results that you want to display. You can also stack filters so that each additional filter that you apply refines the displayed results even further.
Types of filters
Depending on the explorer you're using to view your evidence, you'll have a variety of filters available for you to use.
Filter | Description | Explorer availability |
---|---|---|
Attributes | Show evidence in the Connections explorer by attribute of interest such as file name, identifier, sender, and more. | Connections |
Artifacts | Show evidence by artifact type or artifact group. | Artifacts, Timeline |
Connectors | Show evidence based on how artifact attributes are related, such as accessed by, transferred to, child of, and more. | Connections |
Content types | Show evidence based on a specific content type (for example, extracted text (OCR), geolocation data, pictures, video, audio, and more). There is also an option to filter by files that are either accessible or inaccessible to users. | Artifacts |
Data types | Show evidence in the Timeline explorer based on whether it originated from the Artifacts explorer or the File system explorer. | Timeline |
Date and time | Show evidence based on date and time. You can search by absolute date/time (a specific range of dates and times) or by relative date/time (around the time of a specified date). | Artifacts, File system, Timeline |
Date and time attributes | Show evidence in the Timeline explorer based on date and time attributes. | Timeline |
Evidence | Show evidence based on the source. For example, if you have evidence from both computer and iOS images, you can view evidence from the computer, the iOS, or both evidence sources. | Artifacts, Connections, Timeline |
File attributes | Show evidence by file attribute. For example, you can opt to show only the files that are archived, deleted, hidden, or encrypted. To see all the attributes that a particular file has, see the File attributes property in Details. | File system |
File size | Show evidence by file size (in bytes). You can specify an exact value, a range, or more than/less than values. | File system |
Keyword lists | Show evidence based on keywords or keyword lists. You can stack keywords or keyword lists to refine your results even further. If you added keywords or keyword lists to your search in AXIOM Process, those lists and keywords appear as filtering options. | Artifacts |
Keywords / search terms | Show evidence based on keywords and regular expressions that you provide in the search box. | Artifacts, File system, Registry |
Partial results | Show evidence based on whether a result is complete or partial. Because AXIOM Process searches both allocated and deleted space, recovered artifacts can be a mix of complete and partial results. Partial results are valuable but often require a manual investigation of the underlying data. | Artifacts |
Profiles | Show evidence that you've assigned a profile to. | Artifacts |
Similar pictures | After you find similar pictures, this filter appears. You can adjust the scale to only view the most similar pictures, or broaden the results. You can also view the reference photo that you're currently using. | Artifacts (Thumbnail view only) |
Skin tone | Show evidence based on the overall percentage of skin tone—for all different skin colors—in media files. | Artifacts |
Tags and comments | Show evidence that you've tagged or commented on or evidence that has been tagged by Magnet.AI. Tags are labels that you manually apply to artifacts of interest. For more information about tags, see Tagging evidence. | Artifacts, File system, Timeline |
Timeline categories | Show evidence by timeline category. | Timeline |